So I come from a Windows background and am new to SSH. We are in a Linux environment now and, as much as I like SSH and see its benefits, what I have realized is that it can be implemented in different ways. Now, for the longest time, we have been using SSH with a public/private key, which works exactly like how it is described in this DigitalOcean article:
- We used ssh-keygen with our email to create a private/public key and then copied the .pub file to the server
- We just keep on SSHing to the server without having to enter any password
Now I came across another model where another team uses a .pem file, and they have to use this .pem file to SSH to the server every time. According to them, it is more secure. To me, it’s just more work. Anyway, my question is simple:
- What is the benefit of using a .pem file?
- How is it better than the SSH model that we are using?
I have host A in AWS as an EC2 instance.
I have a private key embedded in a .PEM file that I can use to SSH to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with
I would strongly prefer to leave strict host checking on, even though I “know” this is the correct host, because I’m interacting with the AWS interface, getting the IP/DNS from them, and I’m inside my own little VPC world.
It seems like the only way to provide the fingerprint -> host mapping is by providing it in a
Is that correct?
If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I’m logging into the EC2 instance?
WHAT I DO NOT WANT TO DO
- ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches the key. I think?
- Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I’m going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I’m connecting to, based on the key that I have.)
- Mess around with ssh-add. I want to write this to a file that’s easy to lock down access to, not put it into a running process.
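The fingerprint -> host entry asked about above is built from the host's public key (the line ssh-keyscan prints, or the key the first connection offers), checked against a fingerprint obtained out of band; for an EC2 instance that is the host key fingerprint block in the instance's console output at first boot. The script below is an added example, not code from either poster: it assumes a constructed ed25519 host key and a constructed hostname, computes the OpenSSH fingerprint the way ssh-keygen -lf does (SHA256 of the raw key blob, base64 without padding), and only writes the known_hosts line, with mode 0600, when the fingerprints match.

```python
import base64
import hashlib
import os


def _constructed_keyscan_line() -> str:
    """Constructed sample: an ssh-keyscan style line for a hypothetical EC2 host.
    The ed25519 blob is built from 32 placeholder bytes, not a real host key."""
    def ssh_string(b: bytes) -> bytes:
        # OpenSSH wire format: 4-byte big-endian length followed by the bytes
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    host = "ec2-203-0-113-10.compute-1.amazonaws.com"  # constructed (TEST-NET-3)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH fingerprint: SHA256 over the raw key blob, base64 with '=' stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key_line(line: str):
    """Split '<host> <keytype> <base64-key>' as printed by ssh-keyscan."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64-key>'")
    return parts[0], parts[1], parts[2]


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the offered key hashes to the out-of-band fingerprint."""
    _, _, key_b64 = parse_host_key_line(line)
    return fingerprint_sha256(key_b64) == expected_fingerprint


def build_known_hosts_entry(line: str, expected_fingerprint: str) -> str:
    """Return the known_hosts line for this host, or raise on a mismatch."""
    host, keytype, key_b64 = parse_host_key_line(line)
    if not host_key_matches(line, expected_fingerprint):
        raise ValueError(f"host key fingerprint mismatch for {host}")
    return f"{host} {keytype} {key_b64}\n"


def write_known_hosts(path: str, entry: str) -> None:
    """Create the file owner-read/write only, so it is easy to lock down."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(entry)
```

Point ssh at the file with `-o UserKnownHostsFile=<path>` and keep `-o StrictHostKeyChecking=yes`; the private key from the .PEM file is passed separately with `-i`.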